@clipboard-health/groundcrew 4.3.1 → 4.3.3

package/dist/lib/adapters/linear/writeback.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"writeback.d.ts","sourceRoot":"","sources":["../../../../src/lib/adapters/linear/writeback.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAIhD,UAAU,oBAAoB;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,UAAU,wBAAwB;IAChC,cAAc,CAAC,KAAK,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC5D;AAED,wBAAgB,8BAA8B,CAAC,UAAU,EAAE;IACzD,MAAM,EAAE,YAAY,CAAC;CACtB,GAAG,wBAAwB,CAgD3B"}
+{"version":3,"file":"writeback.d.ts","sourceRoot":"","sources":["../../../../src/lib/adapters/linear/writeback.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAIhD,UAAU,oBAAoB;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,UAAU,wBAAwB;IAChC,cAAc,CAAC,KAAK,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC5D;AAED,wBAAgB,8BAA8B,CAAC,UAAU,EAAE;IACzD,MAAM,EAAE,YAAY,CAAC;CACtB,GAAG,wBAAwB,CAuD3B"}

package/dist/lib/adapters/linear/writeback.js

@@ -1,8 +1,8 @@
 import { log } from "../../util.js";
 export function createLinearIssueStatusUpdater(arguments_) {
     const { client } = arguments_;
-    // Positive cache only. Keyed by teamId because the workflow `state.type ===
-    // "started"` lookup yields a single stateId per team — independent of which
+    // Positive cache only. Keyed by teamId because the in-progress-state
+    // resolution yields a single stateId per team — independent of which
     // project the ticket belongs to. State ids don't change for misconfig
     // reasons, so caching successful resolutions is safe across the process.
     //
@@ -23,10 +23,16 @@ export function createLinearIssueStatusUpdater(arguments_) {
         }
         const team = await client.team(teamId);
         const states = await team.states();
-        // Use the workflow state's `type` — Linear standardises on `started` for
-        // in-progress columns regardless of how the user renames them, so this
-        // works without any per-team status-name configuration.
-        const inProgress = states.nodes.find((state) => state.type === "started");
+        // Linear's default workflow has MULTIPLE `started`-type states — both
+        // "In Progress" and "In Review" are `started`. `team.states()` orders by
+        // updatedAt (the connection has no position ordering), so array order
+        // can't disambiguate them. Prefer the state literally named "In Progress";
+        // otherwise fall back to the lowest-position (leftmost) `started` column,
+        // which by Linear convention is the in-progress one. This survives teams
+        // that rename the column ("Doing", "WIP", ...).
+        const startedStates = states.nodes.filter((state) => state.type === "started");
+        const inProgress = startedStates.find((state) => state.name.trim().toLowerCase() === "in progress") ??
+            startedStates.toSorted((a, b) => a.position - b.position).at(0);
         if (inProgress?.id === undefined) {
             return undefined;
         }

package/dist/lib/launchCommand.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"launchCommand.d.ts","sourceRoot":"","sources":["../../src/lib/launchCommand.ts"],"names":[],"mappings":"AAGA,OAAO,EAAsB,KAAK,WAAW,EAAE,KAAK,eAAe,EAAE,MAAM,aAAa,CAAC;AAGzF,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAE9C;;;;;;;;;GASG;AACH,wBAAgB,6BAA6B,CAAC,OAAO,GAAE,MAAwB,GAAG,MAAM,CAcvF;AAID;;;GAGG;AACH,eAAO,MAAM,aAAa,mFACwD,CAAC;AAiCnF,UAAU,sBAAsB;IAC9B,UAAU,EAAE,eAAe,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB;;;;;;OAMG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IACjC;;;;OAIG;IACH,MAAM,EAAE,WAAW,CAAC;IACpB;;;;;OAKG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;CAClC;AAED;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,sBAAsB,GAAG,MAAM,CAQ7E"}
+{"version":3,"file":"launchCommand.d.ts","sourceRoot":"","sources":["../../src/lib/launchCommand.ts"],"names":[],"mappings":"AAGA,OAAO,EAAsB,KAAK,WAAW,EAAE,KAAK,eAAe,EAAE,MAAM,aAAa,CAAC;AAGzF,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAE9C;;;;;;;;;GASG;AACH,wBAAgB,6BAA6B,CAAC,OAAO,GAAE,MAAwB,GAAG,MAAM,CAcvF;AAID;;;GAGG;AACH,eAAO,MAAM,aAAa,mFACwD,CAAC;AAiHnF,UAAU,sBAAsB;IAC9B,UAAU,EAAE,eAAe,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB;;;;;;OAMG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IACjC;;;;OAIG;IACH,MAAM,EAAE,WAAW,CAAC;IACpB;;;;;OAKG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;CAClC;AAED;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,sBAAsB,GAAG,MAAM,CAQ7E"}

package/dist/lib/launchCommand.js

@@ -1,5 +1,5 @@
 import { createRequire } from "node:module";
-import { dirname, resolve } from "node:path";
+import { basename, dirname, resolve } from "node:path";
 import { BUILD_SECRET_NAMES } from "./config.js";
 import { shellSingleQuote } from "./shell.js";
 export { shellSingleQuote } from "./shell.js";
@@ -53,6 +53,77 @@ function sourceSecretsLine(secretsFile) {
 function unsetSecretsLine() {
     return `unset ${BUILD_SECRET_NAMES.join(" ")}`;
 }
+function tokenizeShellPrefix(command) {
+    const tokens = [];
+    let current = "";
+    let quote;
+    let isEscaped = false;
+    for (const character of command.trim()) {
+        if (isEscaped) {
+            current += character;
+            isEscaped = false;
+            continue;
+        }
+        if (character === "\\" && quote !== "'") {
+            isEscaped = true;
+            continue;
+        }
+        if (quote !== undefined) {
+            if (character === quote) {
+                quote = undefined;
+            }
+            else {
+                current += character;
+            }
+            continue;
+        }
+        if (character === "'" || character === '"') {
+            quote = character;
+            continue;
+        }
+        if (/\s/.test(character)) {
+            if (current.length > 0) {
+                tokens.push(current);
+                current = "";
+            }
+            continue;
+        }
+        current += character;
+    }
+    if (current.length > 0) {
+        tokens.push(current);
+    }
+    return tokens;
+}
+function isEnvironmentAssignment(token) {
+    return /^[A-Za-z_][A-Za-z0-9_]*=/.test(token);
+}
+function safehouseProfileCommandName(agentCmd) {
+    const tokens = tokenizeShellPrefix(agentCmd);
+    let tokenIndex = tokens[0] === "env" ? 1 : 0;
+    if (tokens[0] === "env" && tokens[tokenIndex] === "--") {
+        tokenIndex += 1;
+    }
+    let commandToken;
+    for (const token of tokens.slice(tokenIndex)) {
+        if (isEnvironmentAssignment(token)) {
+            continue;
+        }
+        commandToken = token;
+        break;
+    }
+    if (commandToken === undefined) {
+        throw new Error(`Cannot infer Safehouse agent profile command from model cmd ${JSON.stringify(agentCmd)}.`);
+    }
+    const commandName = basename(commandToken);
+    if (commandName === "." ||
+        commandName === ".." ||
+        commandName.startsWith("-") ||
+        !/^[A-Za-z0-9._-]+$/.test(commandName)) {
+        throw new Error(`Cannot use ${JSON.stringify(commandName)} as a Safehouse agent profile command name inferred from model cmd ${JSON.stringify(agentCmd)}.`);
+    }
+    return commandName;
+}
 /**
  * Build the shell command that runs inside the workspace. The prompt is
  * staged in a temp file (so backticks/quotes/$ in the description survive),
@@ -106,35 +177,46 @@ function buildUnwrappedHostLaunchCommand(arguments_) {
     return lines.join(" && ");
 }
 /**
- * Safehouse launch. Setup runs *inside* the `safehouse-clearance` wrap (mirroring
- * the sdx runner) so the repo's `.groundcrew/setup.sh` and its `npm install` are
- * filesystem-isolated and egress-restricted, rather than running on the bare host.
+ * Safehouse launch. Setup runs *inside* a plain `safehouse-clearance` wrap
+ * (mirroring the sdx runner) so the repo's `.groundcrew/setup.sh` and its
+ * `npm install` are filesystem-isolated and egress-restricted without inheriting
+ * agent credentials/state grants. The agent then runs in a second Safehouse wrap
+ * through an agent-named shim so Safehouse can select only the agent profile.
  *
  * Build secrets are sourced into the host launch shell so Safehouse can forward
  * them into the sandbox via `--env-pass` (Safehouse's `--env=FILE` mode otherwise
- * strips them); they're `unset` inside the wrap after setup so the agent process
- * never inherits them. The host keeps only `cd`, the prompt read, and the wrap exec.
+ * strips them); they're `unset` on the host after setup and not passed to the
+ * agent wrap. The host keeps `cd`, the prompt read, and a temporary
+ * command-named shim so Safehouse can select the intended agent profile while
+ * the actual agent command remains `sh -lc`.
  */
 function buildSafehouseLaunchCommand(arguments_) {
     const promptDir = dirname(arguments_.promptFile);
+    const safehouseCommandName = safehouseProfileCommandName(arguments_.definition.cmd);
     const agentCmd = renderAgentCommand({
         agentCmd: arguments_.definition.cmd,
         worktreeDir: arguments_.worktreeDir,
         sandboxName: "",
     });
-    const innerParts = [setupWithStatusReporting(SETUP_COMMAND)];
-    if (arguments_.secretsFile !== undefined) {
-        innerParts.push(unsetSecretsLine());
-    }
-    innerParts.push(`exec ${agentCmd} "$@"`);
-    const innerCommand = innerParts.join("; ");
-    // Trailing space keeps the flag and `sh` separated; empty when no secrets.
+    const setupCommand = setupWithStatusReporting(SETUP_COMMAND);
+    const agentCommand = `exec ${agentCmd} "$@"`;
+    // Trailing space keeps the flag and setup command separated; empty when no secrets.
     const envPassFlag = arguments_.secretsFile === undefined ? "" : `--env-pass=${BUILD_SECRET_NAMES.join(",")} `;
+    const safehouseWrapper = shellSingleQuote(SAFEHOUSE_CLEARANCE_WRAPPER_PATH);
     const lines = [`cd ${shellSingleQuote(arguments_.worktreeDir)}`];
     if (arguments_.secretsFile !== undefined) {
         lines.push(sourceSecretsLine(arguments_.secretsFile));
     }
-    lines.push(`_p=$(cat ${shellSingleQuote(arguments_.promptFile)})`, `rm -rf ${shellSingleQuote(promptDir)}`, `exec ${shellSingleQuote(SAFEHOUSE_CLEARANCE_WRAPPER_PATH)} ${envPassFlag}sh -lc ${shellSingleQuote(innerCommand)} sh "$_p"`);
+    lines.push(`_p=$(cat ${shellSingleQuote(arguments_.promptFile)})`, `rm -rf ${shellSingleQuote(promptDir)}`, `${safehouseWrapper} ${envPassFlag}sh -lc ${shellSingleQuote(setupCommand)}`);
+    if (arguments_.secretsFile !== undefined) {
+        lines.push(unsetSecretsLine());
+    }
+    lines.push(`_safehouse_shim_dir=$(mktemp -d "\${TMPDIR:-/tmp}/groundcrew-safehouse-XXXXXX")`, `trap 'rm -rf "$_safehouse_shim_dir"' EXIT`, `_safehouse_shim="$_safehouse_shim_dir/${safehouseCommandName}"`, `ln -s /bin/sh "$_safehouse_shim"`, 
+    // Safehouse selects an agent profile from the wrapped command's basename.
+    // Running the real launch chain as `sh -lc` would make it see `sh`, so use
+    // an agent-named symlink to /bin/sh. This preserves per-agent profile
+    // selection without enabling every agent profile.
+    `${safehouseWrapper} "$_safehouse_shim" -lc ${shellSingleQuote(agentCommand)} sh "$_p"; _safehouse_status=$?; rm -rf "$_safehouse_shim_dir"; trap - EXIT; exit "$_safehouse_status"`);
     return lines.join(" && ");
 }
 function buildSdxLaunchCommand(arguments_) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@clipboard-health/groundcrew",
-  "version": "4.3.1",
+  "version": "4.3.3",
   "description": "Linear-driven orchestrator that launches AI coding agents in git worktrees, with workspace lifecycle and usage tracking.",
   "keywords": [
     "agent",